* Rachel Hinton…
A “ransomware” group potentially linked to Russia has uploaded to a website scores of documents it says were stolen from Illinois Attorney General Kwame Raoul’s office over two weeks after the state’s top law enforcement officer first reported his office’s computer network was compromised.
Raoul had declined to publicly provide details of the hack, but on Thursday, he issued a follow-up statement, saying his office has set up a toll-free hotline for those seeking more information on the breach, which could include “names, addresses, email addresses, Social Security numbers, health insurance and medical information, tax information, and driver’s license numbers.” […]
The latest announcement comes after the ransomware group DoppelPaymer posted 68 documents it said are from the attorney general’s office, as well as other entities they’ve hit, on a website on which a user can find “private data of the companies which were hacked by DoppelPaymer.”
According to the website, the “companies decided to keep the leakage secret. And now their time to pay is over.”
This happened weeks ago and the AG’s office is only now finally telling the public about a ransomware attack? Before, all they would say was they were hacked.
* From the attorney general…
Attorney General Kwame Raoul today announced the Office of the Attorney General is notifying the public in accordance with state statute, of a ransomware attack that has compromised the office’s network. While the extent of the information compromised is currently under investigation, the Attorney General’s office is launching a toll-free hotline and providing additional information to the public via its website.
The Attorney General’s office, aided by law enforcement and external technology experts, continues to evaluate the full extent of the compromise, including identifying the information that was exposed and what was done with that information. At the same time, work is taking place around the clock to rebuild the office’s network. In the interim, the Attorney General’s office is launching a hotline that will go into operation at 8 a.m. Central time Friday. The Attorney General’s office is providing additional information to answer individuals’ questions and help them protect against identity theft.
“While we do not yet know with certainty what was compromised in the ransomware attack, we are working closely with federal law enforcement authorities and outside technology experts to determine what information was exposed, how this happened, and what we can do to ensure that such a compromise does not happen again,” Raoul said. “This process will take time, but I understand that members of the public may have questions now, which is why I am establishing a toll-free hotline and making information available online. I am committed to transparency throughout this very sensitive process and will continue to provide updates that do not jeopardize the progress of our ongoing investigation or the security of our network.”
What has since been identified as a ransomware attack was initially discovered in the early hours of Saturday, April 10 when employees were unable to access the office’s network. The office launched an immediate investigation and has maintained close contact with federal law enforcement and external technology experts to determine which network components have been compromised. The office has continued regular operations to the extent possible while efforts to rebuild the network are underway.
Illinois statute requires residents to be notified if their information may have been compromised by a data breach. Accordingly, a public notification and answers to frequently asked questions related to the network compromise are now available on the Attorney General’s website. The Attorney General’s office has not yet determined what personal information on its network is impacted. However, information from the public stored on the office’s network includes names, addresses, email addresses, Social Security numbers, health insurance and medical information, tax information, and driver’s license numbers. The Attorney General’s office routinely offers guidance to help residents protect themselves from identity theft, and today’s public notice details steps people can take to protect their identities.
Attorney General Raoul also announced a dedicated toll-free hotline staffed by Rust Consulting Inc., a company that specializes in legal notifications. Beginning Friday, individuals who have questions about the network compromise can call the Attorney General’s Computer Network Compromise Hotline at 1-833-688-1949, Monday through Friday between the hours of 8 a.m. and 5 p.m. Central time.
The Attorney General’s office continues to evaluate the extent of the network compromise by ransomware. Additional details about the compromise and the personal information impacted will be made available on the Attorney General’s website, to the extent possible, upon completion of the office’s internal investigation and its work with law enforcement and external technology experts.
That is some super-dense prose right there.
- Donnie Elgin - Friday, Apr 30, 21 @ 11:03 am:
“The leaked files include not only public information from court cases handled by the Illinois OAG, but also private documents that aren’t a part of the public record, according to security research firm Recorded Future, which detailed the leak in a post on its news portal The Record. The files contain personally identifiable information about state prisoners, their grievances and cases, according to the post”
https://threatpost.com/doppelpaymer-leaks-illinois-ag/165694/
- Ron Burgundy - Friday, Apr 30, 21 @ 11:19 am:
Of course the statute on data breach notification in IL requires notice to, guess who? I assumed the office notified itself promptly.
- Sangamo Girl - Friday, Apr 30, 21 @ 11:27 am:
And this is why I push back on every single request for my PII. My agency now requires my name, DL number, DL exp. date, and birthday on every single request . . . to use an Agency car. I don’t care how you encrypt the info, “stuff” happens.
- Fav Human - Friday, Apr 30, 21 @ 11:30 am:
malware relies on remote human operators using existing Domain Admin credentials to spread across an enterprise network,” Microsoft’s researchers explain.
The company recommends that security administrators enforce a good credential hygiene, apply the principle of least privilege, and implement network segmentation to keep their environments protected.
Seems like the AG is running a loose ship.
The article is from Nov. 2019
https://www.securityweek.com/dopplepaymer-ransomware-spreads-compromised-credentials-microsoft
- Responsa - Friday, Apr 30, 21 @ 11:31 am:
Wow. It’s not a great day for Illinoisans who trusted the security of their lives and financial identities to the Attorney General’s office. One would expect the AG of all people to be more immediately forthcoming and aware of his responsibilities. Most especially, the people who experienced the trauma of IDES fraud must be so happy that Kwame opened up a special department/task force to “help” them where they had to identify themselves and detail the fraud. Ugh.
- zatoichi - Friday, Apr 30, 21 @ 12:01 pm:
=The AG’s office routinely offers guidance to help residents protect themselves from identity theft, and today’s public notice details steps people can take to protect their identities.=
They really want to say that in an article where they get hacked? How old is the current security system and who runs it? Looks like serious upgrades are needed yesterday.
- DuPage - Friday, Apr 30, 21 @ 12:12 pm:
As a law enforcement agency, they may have had routine access to all Illinois drivers license information. Will they disclose how many and how much information has been stolen?
- Franklin - Friday, Apr 30, 21 @ 12:17 pm:
They are currently pushing legislation to collect student loan data.
- Responsa - Friday, Apr 30, 21 @ 12:25 pm:
Please remember how you feel about this almost unbelievable breach as rational people from both political parties resist the idea of Illinois collecting personal and medical data for a vaccination passport.
- Rich Miller - Friday, Apr 30, 21 @ 12:28 pm:
===resist the idea of Illinois collecting personal and medical data for a vaccination passport===
LOLOL
Go take a nap.
- Anyone Remember - Friday, Apr 30, 21 @ 12:34 pm:
===My agency now requires … DL number … every single request . . . to use an Agency car.===
How else would you have your agency ensure you’re a licensed driver?
- Ed Equity - Friday, Apr 30, 21 @ 12:48 pm:
It was once a crazy idea that a terrorist would crash an airplane into a building, until it happened. This attack is only the staging for something much more substantial. When they have the passwords and credentials Russians, or more likely a non-government surrogate/terrorist group will attack our financial and power systems. It is not an “if” but a “when”. Just like we got caught off guard with COVID, we’re no where near ready for that much more deadly scenario. I hope this can serve as a prompt to get ready.
- Merica - Friday, Apr 30, 21 @ 1:14 pm:
The Russians have successfully hacked DOD and every major tech company, companies that spend billions on cyber security. They’ve also attacked many local and state governments.
No State, other government, or company can protect against this. The solution is on the federal level and likely to be involves a military and economic confrontation with Putin.
Hats off to the poor employees at the attorney general that have to deal with this and a pandemic. sucks.
- Skeptic - Friday, Apr 30, 21 @ 2:01 pm:
“How else would you have your agency ensure you’re a licensed driver?” You can do it without storing a copy of the data on a network (or a filing cabinet for that matter.) “Can I see you DL?” “Sure, here it is.” “Thank you, I’ll mark on the form that you have a valid DL.”
- all luck - Friday, Apr 30, 21 @ 2:03 pm:
It will be interesting to see how much they are able to rule out what has been hacked.
The AG defends almost all state employee WC claims and their database for claims would have all personal identification information including SSN of anyone who has ever had a WC claim.
- Candy Dogood - Friday, Apr 30, 21 @ 2:36 pm:
I’d put a lot of good money on the security breech that was exploited being a known issue that was not fixed or addressed with updates to software or hardware. I’d also put good money, though a little less, on it being specifically linked to a a server or network of PCs still running on Windows XP.
===The Russians have successfully hacked DOD and every major tech company===
And? This usually happens because of carelessness. See SolarWinds.
===No State, other government, or company can protect against this. ===
This isn’t even remotely true and pretending like it is true propagates this attitude that it can’t be helped. There are plenty of companies, agencies, and governments that don’t have their stuff hacked, stolen, or ransomed. You just have to actually prioritize providing adequate training and up to date software and I think we all know that state agencies and executive offices aren’t exactly known for developing tech skills and competencies and that there are a lot of people that frankly refuse to learn or take threats seriously.
===The AG defends almost all state employee WC claims and their database for claims would have all personal identification information including SSN of anyone who has ever had a WC claim.===
Relax. Equifax already made sure this was available to anyone who wanted it badly enough.
- JSS - Friday, Apr 30, 21 @ 3:24 pm:
The AG’s Office also receives unredacted records when FOIA requests are reviewed by the Public Access Counselor. This potentially could expose individuals who have absolutely no expectation the AG’s Office would be in possession of records pertaining to them.
- Still Waiting - Friday, Apr 30, 21 @ 3:25 pm:
The OMA/FOIA training portal has been down for a couple of weeks, at least. Not ideal when you have all these newly elected officials who have to complete training within 90 days of being seated.
- Sangamo Girl - Friday, Apr 30, 21 @ 3:29 pm:
What Skeptic said. There are plenty of ways to accomplish this goal without putting my PII at risk–every time I need to pick up a set of car keys.
- Hector - Friday, Apr 30, 21 @ 3:38 pm:
The irony is that its the AG’s office that’s charged with enforcing the state’s Privacy Act and policing the private sector on matters involving any breach in privacy and personal data.
- Three Dimensional Checkers - Friday, Apr 30, 21 @ 4:01 pm:
Not the prisoner grievances!
What is AG Raoul supposed to pay taxpayer money as ransome to a (alleged) Russian cybercrime gang? Or maybe his own money? I am sure that would have gone over great in the next election.